Data Processing Addendum

Last updated: April 2026

This Data Processing Addendum ("DPA") supplements the FieldsHub Terms of Service and forms part of the agreement between Beewist ("Processor") and the customer organization ("Controller"). It describes how Beewist processes personal data on the Controller's behalf in connection with the Service. Customers requiring a signed DPA may request one at legal@beewist.com.

1. Roles & Scope

Beewist acts as a Processor of personal data submitted by the Controller (and its authorized users) into the Service. The Controller determines the purposes and means of processing.

2. Subject Matter, Duration, and Categories

  • Subject matter: Provision of the FieldsHub construction-management Service.
  • Duration: For the term of the Controller's subscription, plus retention periods set out in our Privacy Policy.
  • Nature and purpose of processing: Hosting, storing, transmitting, computing, displaying, and otherwise processing data to operate the Service and its features (including AI inference, SMS, email, mapping, and payments).
  • Data subjects: Controller's administrators, managers, workers (employees and subcontractors), accountants, customers/homeowners.
  • Categories of personal data: Names, email, phone, role, GPS location at clock-in, photos, billing/payment metadata, project/customer details, communications metadata.
  • Special categories: Limited; may include workplace-injury descriptions if uploaded by Controller.

3. Processor Obligations

Beewist will:

  • Process personal data only on the Controller's documented instructions, including those set out in the Service configuration and these Terms.
  • Ensure persons authorized to process personal data have committed to confidentiality.
  • Implement appropriate technical and organizational measures (see Section 6).
  • Assist the Controller, taking into account the nature of processing, with data-subject rights requests.
  • Assist the Controller with data-protection-impact assessments and prior consultations where required.
  • Make available information necessary to demonstrate compliance and allow audits as set out in Section 8.
  • Inform the Controller without undue delay if an instruction infringes applicable data-protection law.

4. Subprocessors

The Controller authorizes Beewist to engage the subprocessors listed below to process personal data on its behalf. Beewist remains responsible for each subprocessor's performance.

Provider        | Purpose                                     | Region
Microsoft Azure | Hosting, database, blob storage             | United States
Stripe, Inc.    | Subscription billing & payments             | United States
Twilio, Inc.    | SMS delivery (OTP, notifications)           | United States
Google LLC      | Google Maps Platform (geocoding, map tiles) | United States
Upstash, Inc.   | Rate-limit cache                            | United States

We will give at least 30 days' advance notice of new or replacement subprocessors via email or in-app notice. The Controller may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service.

5. International Data Transfers

The Service is hosted in the United States. Where personal data of EEA, UK, or Swiss residents is transferred to the U.S., the parties rely on the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, which are deemed incorporated into this DPA by reference for the affected data subjects.

6. Security Measures

  • Encryption in transit (TLS 1.2+) and encryption at rest for sensitive fields and stored files.
  • Role-based access control with least-privilege defaults.
  • Multi-factor authentication for administrative access.
  • Audit logging of administrative and security-relevant events.
  • Vulnerability management, dependency scanning, and routine patching.
  • Network segmentation, hardened images, and managed cloud infrastructure.
  • Incident-response plan with defined roles and notification SLAs.
  • Annual review of policies and access lists.

7. Data Breach Notification

We will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Controller's personal data. Notification will include the nature of the breach, categories and approximate number of data subjects, likely consequences, and measures taken or proposed.

8. Audits

Beewist will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA. The Controller may request an audit (no more than once per year, unless a breach has occurred) on at least 30 days' notice, conducted during business hours, subject to confidentiality, and at the Controller's expense.

9. Return & Deletion

Upon termination of the Service, the Controller may export its personal data via the in-product export tools for up to 90 days. After that period, Beewist will delete or anonymize remaining data within 30 days, except where retention is required by law. Backup copies are overwritten on a rolling basis (up to 35 days).

10. Liability

Liability under this DPA is subject to the limitations and exclusions in the Terms of Service.

11. Contact

Privacy: privacy@beewist.com
Legal / signed DPA requests: legal@beewist.com